Effective CISSP Questions

You are collecting and eliciting stakeholders’ security needs and requirements in a software development project. Which of the following is the least likely tool or technique used? (Wentz QOTD)
A. Fuzzer
B. Misuse case
C. Data flow diagram
D. Requirement traceability matrix

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Fuzzer.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

Software Development Life Cycle (SDLC) – Design

Requirements are elicited, collected, analyzed, specified, documented, verified, validated, and managed in the (requirements) analysis phase. Many tools and techniques can be used in requirements management; surveys, meetings, interviews, workshops, diagrams, charts, templates, etc. are common ones.

Use cases (and misuse/abuse cases), user stories, and user/software requirement specifications (URS/SRS) are commonly used to express, communicate, and document requirements. The Requirement Traceability Matrix (RTM) is a crucial tool used across the SDLC.

Requirements Engineering

A fuzzer is a testing tool used in the testing stage of the software development life cycle (SDLC), not in requirements elicitation.

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are “valid enough” in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are “invalid enough” to expose corner cases that have not been properly dealt with.

Source: Wikipedia
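To make the quoted description concrete, here is a minimal mutation-based fuzzer, added as an example for this post (it is not code from the original page or from Wikipedia). It assumes a constructed toy record format ("FZ" magic, a 1-byte record count, then length-prefixed records) and a parser that trusts those fields; the fuzzer mutates a valid seed into "semi-valid" inputs, treats a clean `ValueError` rejection as expected behaviour, and records any other exception as a finding.

```python
import random

# Constructed toy format (an assumption for this example, not a real protocol):
#   b"FZ" | count (1 byte) | count x ( length (1 byte) | payload )
MAGIC = b"FZ"


def parse_records(data: bytes) -> list:
    """Parse the toy format.

    The parser trusts the count and length fields, which is exactly the kind of
    unchecked assumption fuzzing is good at exposing. Inputs with a bad magic
    are rejected up front ("invalid enough" inputs stop here); inputs that pass
    the magic check reach the record loop ("valid enough" inputs).
    """
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    count = data[2]                      # IndexError if the input is truncated here
    pos = 3
    records = []
    for _ in range(count):
        length = data[pos]               # IndexError if count overstates the records
        pos += 1
        payload = data[pos:pos + length]
        # Built-in assertion of the kind a fuzzer monitors for
        assert len(payload) == length, "truncated record"
        records.append(payload)
        pos += length
    return records


def make_seed() -> bytes:
    """A well-formed input that the mutator starts from (constructed sample)."""
    records = [b"alpha", b"beta"]
    body = b"".join(bytes([len(r)]) + r for r in records)
    return MAGIC + bytes([len(records)]) + body


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite, insert, delete, or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[:rng.randrange(len(buf) + 1)]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run the target on mutated inputs and collect distinct failure types.

    Returns {"findings": {exception_name: first_triggering_input},
             "rejected": number of inputs the parser rejected cleanly}.
    """
    rng = random.Random(rng_seed)        # fixed seed so runs are reproducible
    findings = {}
    rejected = 0
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except ValueError:
            rejected += 1                # clean rejection: expected, not a bug
        except Exception as exc:         # crash or failed assertion: a finding
            findings.setdefault(type(exc).__name__, candidate)
    return {"findings": findings, "rejected": rejected}


if __name__ == "__main__":
    result = fuzz(parse_records, make_seed())
    print("cleanly rejected inputs:", result["rejected"])
    for name, sample in result["findings"].items():
        print(f"{name}: triggered by {sample!r}")
```

Each finding maps back to a missing check in the parser (a truncated buffer, a count larger than the data actually present), which is the verification-stage feedback a fuzzer provides; it tells you nothing about what stakeholders need, which is why it does not belong among requirements-elicitation techniques.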


You are collecting and eliciting stakeholders' security needs and requirements in a software development project. Which of the following is the least likely tool or technique to be used? (Wentz QOTD)
A. Fuzzer
B. Misuse case
C. Data flow diagram
D. Requirement traceability matrix
